[xmlsec] DigestValue, xmlsec failure, need guidance.
Artur BUJDOSO
artur.bujdoso at saveas.hu
Wed Mar 10 07:25:05 PST 2004
Hi all,
First, thanks to everyone who answered my DigestValue woes; it was
valuable for understanding some fundamental things.
In advance, sorry for the long letter, but I have really ripped all of my
hair out because of this problem.
It's about the following:
I successfully compiled xmlsec with libssl0.9.6 under my weird dev
environment, and tried to verify a soap-xml content.
Here's what I got from both the online verifier, and the compiled test
suite:
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
library function failed:expr=xpointer(id('Body'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec
library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2332:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec
library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1168:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec
library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1228:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec
library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1564:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
library function failed: dsigctxverify 0
The only thing I'd use XMLSEC for (at least this time) is to verify the
DigestValue for me. Unfortunately I tried all kinds of canonicalization with
LIBXML2, and the resulting hash never matched.
Here is the questioned SOAP XML file too:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header><wsse:Security><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Body">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
gW/NIK4dF3OiSOwKgJQhTh/18Eb0IqyDHOLY+JeizHmBkhr+9hlt0/BaHS5lE7YtvmwpJlONe9pM
yrLb6gLuvJaHYrmFQua2hqviZfZztftjHEz8pzntbbir1KnVs8VaKyaz53qHG+Tvx2yHnVFWuK/A
TRy/MzUClQqTBiP32sk=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
u1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV2TFBcHqBS7lIE1YtxwjhhEKrwKKS
q0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/Gdr5FegPh7Yc48zGmo5/aiSS4/zgZbqn
sX7vyds3ashKyAkG5Jk=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></wsse:Security> </soapenv:Header>
<soapenv:Body>
<CPDownSynchron xmlns="urn:soap.genie.pgsm.hu">
<in xmlns="">
<m_ContentInfo>
<m_AckToCP>ESoapACKTR_OK</m_AckToCP>
<m_AckToSubscriber>ESoapACKYES</m_AckToSubscriber>
<m_Tariff>
<m_NettoPrice>240.0</m_NettoPrice>
<m_VAT>25.0</m_VAT>
<m_InvoiceText>java:InvoiceText</m_InvoiceText>
</m_Tariff>
<m_ObligatedOfCharges>java:Obligated</m_ObligatedOfCharges>
<m_Fulfilment>
<m_OriginOfError>ESoapORIG_PGSM</m_OriginOfError>
<m_StatusCode>1</m_StatusCode>
<m_AckText>java:AckText</m_AckText>
</m_Fulfilment>
<m_SchemaName>java:SchemaName</m_SchemaName>
<m_SubId>1123</m_SubId>
<m_UseDefaultFlow>true</m_UseDefaultFlow>
<m_ServiceNumber>+36209112233</m_ServiceNumber>
</m_ContentInfo>
<m_pContentBlocks>
<m_Type>ESoapPLAIN</m_Type>
<m_SuccessCriteria>ESoapALL</m_SuccessCriteria>
<m_SuccessOfSingle>1</m_SuccessOfSingle>
<m_NumMessages>1</m_NumMessages>
<m_Messages>0</m_Messages>
<m_TrSuccessIfNotSucceed>false</m_TrSuccessIfNotSucceed>
<m_TrSuccessIfSucceed>true</m_TrSuccessIfSucceed>
</m_pContentBlocks>
<m_pCBMessages>
<m_Recipient>java: recipient</m_Recipient>
<m_Sender>java: sender</m_Sender>
<m_TimeOfSending>2004-02-12T13:35:12.000Z</m_TimeOfSending>
<m_SuccessCriteria>ESoapSENT</m_SuccessCriteria>
<m_bNeedDeliveryReport>false</m_bNeedDeliveryReport>
<m_MessageContentId>0</m_MessageContentId>
</m_pCBMessages>
<m_pCMessageContents xsi:type="ns1:CMessageContentSMS"
xmlns:ns1="urn:soap.genie.pgsm.hu">
<m_DestinationAddress>java:destination</m_DestinationAddress>
<m_OriginatorAddress>java:origAddress</m_OriginatorAddress>
<m_OriginatorAddressPostfix>ori</m_OriginatorAddressPostfix>
<m_UserData>Test sms</m_UserData>
<m_ProtocollIdentifier>1</m_ProtocollIdentifier>
<m_DataCodingScheme>1</m_DataCodingScheme>
<m_OriginatedIMSI>java:originatedIMSI</m_OriginatedIMSI>
<m_OriginatedVisitedMSCAddress>java:origVisit</m_OriginatedVisitedMSCAddress>
<m_AlphanumericOriginatingAddress>originatingAddress</m_AlphanumericOriginatingAddress>
<m_Cancel>ESoapSMSCancelUndefined</m_Cancel>
<m_Priority>1</m_Priority>
<m_ServiceDescription>1</m_ServiceDescription>
<m_TariffClass>1</m_TariffClass>
<m_ReplyPath>ESoapReplyPathUndefined</m_ReplyPath>
<m_ValidityPeriodType>ESoapValidityPeriodUndefined</m_ValidityPeriodType>
<m_FirstDeliveryTimeType>ESoapFirstDeliveryTimeUndefined</m_FirstDeliveryTimeType>
<m_ValidityPeriodValue>445566</m_ValidityPeriodValue>
<m_FirstDeliveryTimeValue>-2</m_FirstDeliveryTimeValue>
</m_pCMessageContents>
</in>
</CPDownSynchron>
</soapenv:Body>
</soapenv:Envelope>
If anyone could tell me how to canonicalize properly and verify the
DigestValue hash, that would be a great help, or could point out the
failure in the SOAP XML content that XMLSEC is trying to tell me about.
I have a limited ability to alter the document that arrives
(practically, nothing), and I have to find a way to verify its
integrity. I don't even know whether the hash in the document is right
or not.
This document violates no business rights, and is "published" with
permission, since it contains no "dangerous" elements. I'm aware of the
tampered certificate too, but since I have to verify the DigestValue,
that shouldn't make any difference.
Any help would be appreciated.
Sorry for the long letter again.
Artur Bujdoso
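An added check, not code from the post or from xmlsec, that walks the Reference the way a verifier does (the envelope below is a constructed, trimmed copy of the one in the post; the Id-attribute lookup and the use of the stdlib's C14N 2.0 canonicalizer are assumptions). It shows what the xpointer error is pointing at: no element carries Id="Body", so id('Body') resolves to nothing, and the declared DigestValue is exactly base64(SHA-1("")), a digest over zero bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed, trimmed copy of the envelope from the post: the Reference
# points at "#Body", but no element in the document carries an Id attribute.
SOAP = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<soapenv:Header><wsse:Security>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#Body">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
</ds:Reference></ds:SignedInfo></ds:Signature>
</wsse:Security></soapenv:Header>
<soapenv:Body><CPDownSynchron xmlns="urn:soap.genie.pgsm.hu"><in xmlns="">
<m_ContentInfo><m_SubId>1123</m_SubId></m_ContentInfo></in></CPDownSynchron>
</soapenv:Body></soapenv:Envelope>"""

def find_id_target(root, fragment):
    """Resolve a same-document fragment the way xpointer(id('Body')) does:
    return the element whose Id-like attribute (Id, ID, wsu:Id, ...) equals it."""
    for el in root.iter():
        for name, value in el.attrib.items():
            if name.rsplit("}", 1)[-1].lower() == "id" and value == fragment:
                return el
    return None

def check_reference(xml_text):
    """Return (target_found, computed_digest, declared_digest, matches)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ref = root.find(f".//{DS}Reference")
    declared = ref.find(f"{DS}DigestValue").text.strip()
    target = find_id_target(root, ref.get("URI").lstrip("#"))
    if target is None:
        # Dangling reference: the digest input is zero bytes, so the
        # signature covers nothing and verification must fail loudly.
        data = b""
    else:
        # Approximation: stdlib canonicalize() is C14N 2.0, not the inclusive
        # C14N 1.0 the SignedInfo declares; use lxml for exact C14N 1.0.
        data = ET.canonicalize(ET.tostring(target, encoding="unicode")).encode()
    computed = base64.b64encode(hashlib.sha1(data).digest()).decode()
    return target is not None, computed, declared, computed == declared
```

A verifier has to treat an unresolvable Reference as a failure rather than digesting an empty node set, which is exactly what xmlsec does in the error trace above.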